The ability to change settings as a registered (non-admin) user allows us to trigger an Arbitrary File Disclosure vulnerability with any path of our choosing. One limitation of this vulnerability is that the target user (in the PoC, test) needs to have an account on the Cart66 installation.